Geo blocking issue for LAN network
Hi Team,
We are facing an issue after enabling geo-blocking for other countries except India.
Policy which I have configured -
Incoming interface - SDWAN interface
Outgoing Interface - Vlan Interface.
Source country - India
Destination - VIP
NAT - NATed IP (for example, 1.1.1.1-100.100.100.1)
Policy - Accept
Issue that has been observed - Internal servers are not able to access the site (for example, www.xxx.com) whose VIP is mapped with this policy.
When I set the source to ALL, everything works smoothly.
thank you.
Hello team,
I followed the Geo IP code below from the FortiGate documentation, and after that the issue was resolved.
The steps taken were as follows:
1. Source country chosen - India
2. Created one test geo location and added it to the policy - set country ZZ.
Below is the link for the special codes of Geo IP:
ZZ - Reserved (IP addresses that are not assigned, e.g., 10.0.0.0/24)
For more information, please refer to the document below.
https://docs.fortinet.com/document/fortiadc/7.4.1/handbook/522244/special-geo-codes
Thank you.
Hello,
Is there a particular reason why the traffic is NATed?
Moreover, you may consider verifying the GEO IP category:
If this policy is used for access from LAN devices as well (~hairpin NAT), you will need to add your local subnets into the list of permitted sources in that policy.
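A simplified model of the source match discussed in this thread, added here as an illustration (it is not code from any of the posts and not Fortinet's implementation). The geo table, addresses and policy names are constructed, and it assumes hairpinned LAN traffic reaches the VIP policy with its private source address.

```python
import ipaddress

# Constructed geo table: documentation prefixes stand in for real allocations.
GEO_TABLE = {
    "203.0.113.0/24": "IN",
    "198.51.100.0/24": "US",
}

def country_of(ip):
    """Country code for ip, or 'ZZ' when no country is assigned to it
    (private ranges such as 10.0.0.0/24 never appear in a country table)."""
    addr = ipaddress.ip_address(ip)
    for prefix, code in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return code
    return "ZZ"

def evaluate(ip, policy):
    """'accept' if the source matches a listed subnet or country, else implicit 'deny'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(s) for s in policy.get("subnets", ())):
        return "accept"
    if country_of(ip) in policy.get("countries", ()):
        return "accept"
    return "deny"

# Three variants of the VIP policy's source field (names are hypothetical).
INDIA_ONLY = {"countries": {"IN"}}
INDIA_PLUS_ZZ = {"countries": {"IN", "ZZ"}}
INDIA_PLUS_LAN = {"countries": {"IN"}, "subnets": ["10.0.0.0/24"]}

def compare(sources):
    """Map each source IP to its verdict under the three policy variants."""
    return {
        ip: tuple(evaluate(ip, p) for p in (INDIA_ONLY, INDIA_PLUS_ZZ, INDIA_PLUS_LAN))
        for ip in sources
    }

if __name__ == "__main__":
    # Constructed sources: Indian client, foreign client, LAN server, other private host.
    for ip, verdicts in compare(
        ["203.0.113.10", "198.51.100.7", "10.0.0.25", "10.0.1.5"]
    ).items():
        print(ip, country_of(ip), verdicts)
```

In this model the ZZ entry admits every source that has no country, while the subnet entry admits only the listed LAN range, which is the narrower of the two fixes.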
Hi Umesh,
You had another thread with the initial configuration of this as well, so not sure what you ended up with, but:
1: Does this work when you disable this rule?
2: This seems to be a Firewall rule, not a Local In rule, so it will block your other local servers from accessing the server on VirtualIP NAT.
I would:
1: Make sure everything works on a routing level, without this rule enabled.
2: Make internal DNS that points to 'www.xxx.com' on the internal IP - unless you have a Very good reason to access that server via the public IP (making more load on the firewall!)
It would also be helpful to know, if you're setting up a new firewall or this is an existing installation you try to 'harden'.
IT System Admin,
Arp-Hansen Hotel Group A/S, Copenhagen, DK
not resolved the issue
